
Worm:Win32/Autorun.AHY


First posted on 20 October 2014.
Source: Microsoft

Aliases:

There are no other names known for Worm:Win32/Autorun.AHY.

Explanation:

Threat behavior

Installation

Worm:Win32/Autorun.AHY copies itself to c:\documents and settings\administrator\application data\musallat.exe. The malware creates the following files on your PC:

  • c:\documents and settings\administrator\application data\declare.ini


Spreads via…

Removable and network drives

Worm:Win32/Autorun.AHY can copy itself to network and removable drives, such as USB flash drives. It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on. This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.

Note: We haven't seen this worm create an autorun.inf file. This could be because it doesn't spread immediately, or it might be ordered to spread from a remote source.

Payload

Changes system security settings

Worm:Win32/Autorun.AHY disables the Least Privileged User Account (LUA), also known as the "administrator in Admin Approval Mode" user type. It does this by making the following registry modifications:

Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Note: Disabling the LUA allows all applications to run by default with all administrative privileges. You won't be asked for explicit consent.
This malware description was produced and published using automated analysis of file SHA1 3b218dddd052c165d9a58e2de29373757ff77d02.

Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    c:\documents and settings\administrator\application data\declare.ini
    c:\documents and settings\administrator\application data\musallat.exe
  • You see these entries or keys in your registry:

    Sets value: "EnableLUA"
    With data: "0"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
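The indicators above can be checked on a host with a short PowerShell script. This is an added example, not part of Microsoft's description; it assumes the dropped files may also appear under the current user's Application Data folder (the page only gives the literal "administrator" path) and that the EnableLUA value is read from the subkey named above.

```powershell
# Added example: host check for the Worm:Win32/Autorun.AHY indicators listed on this page.
# Assumption: the dropped files are also looked for under $env:APPDATA, since the
# description's path is specific to the "administrator" profile of the analysis machine.
$indicatorFiles = @(
    'c:\documents and settings\administrator\application data\musallat.exe',
    'c:\documents and settings\administrator\application data\declare.ini',
    (Join-Path $env:APPDATA 'musallat.exe'),
    (Join-Path $env:APPDATA 'declare.ini')
)

function Test-AutorunAHYIndicators {
    $findings = @()

    # 1. Dropped files named in the "Installation" section
    foreach ($path in $indicatorFiles) {
        if (Test-Path -LiteralPath $path) {
            $findings += "File present: $path"
        }
    }

    # 2. Payload: EnableLUA set to 0 (Admin Approval Mode / UAC consent disabled)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue
    if ($null -ne $lua -and $lua.EnableLUA -eq 0) {
        $findings += "EnableLUA is 0 under $key (applications run with full administrative privileges without consent)"
    }

    # 3. autorun.inf in the root of removable drives (DriveType 2). The page notes this
    #    file was not observed for this sample and that autorun.inf can be legitimate,
    #    so treat a hit as something to review rather than proof of infection.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $findings += "autorun.inf present at $inf (review its contents)"
        }
    }

    return $findings
}

$results = Test-AutorunAHYIndicators
if ($results.Count -eq 0) { 'No Worm:Win32/Autorun.AHY indicators found.' } else { $results }
```

If EnableLUA has been set to 0, restoring it with `Set-ItemProperty -Path $key -Name EnableLUA -Value 1` takes effect only after the PC is restarted.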

Last update 20 October 2014
